From d3f9fa35b7b1bc3830101f4aa203a52953b59528 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Andreassa?= Date: Thu, 20 Nov 2025 12:43:45 -0800 Subject: [PATCH] fix: Include security warning in ExternalAccount and ImpersonatedServiceAccount credentials --- lib/googleauth/external_account.rb | 9 +++++++++ lib/googleauth/impersonated_service_account.rb | 9 +++++++++ 2 files changed, 18 insertions(+) diff --git a/lib/googleauth/external_account.rb b/lib/googleauth/external_account.rb index f6181bc0..6f88b455 100644 --- a/lib/googleauth/external_account.rb +++ b/lib/googleauth/external_account.rb @@ -40,6 +40,15 @@ class Credentials # Create a ExternalAccount::Credentials # + # @note Warning: + # This method does not validate the credential configuration. A security + # risk occurs when a credential configuration configured with malicious urls + # is used. + # When the credential configuration is accepted from an + # untrusted source, you should validate it before using with this method. + # See https://cloud.google.com/docs/authentication/external/externally-sourced-credentials + # for more details. + # # @param options [Hash] Options for creating credentials # @option options [IO] :json_key_io (required) An IO object containing the JSON key # @option options [String,Array,nil] :scope The scope(s) to access diff --git a/lib/googleauth/impersonated_service_account.rb b/lib/googleauth/impersonated_service_account.rb index c5031ffb..b659c4ff 100644 --- a/lib/googleauth/impersonated_service_account.rb +++ b/lib/googleauth/impersonated_service_account.rb 
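Review bot: The added @note warns about "malicious urls" but never says which parts of the configuration are used as network endpoints, so a reader still does not know what to validate before calling the method; the only input the hunk shows is `json_key_io`, and the method the doc block describes begins outside the hunk. I would state the consequence, replacing the second and third comment lines with `# This method does not validate the credential configuration. The URLs it contains are` / `# used as-is as token-exchange and credential-source endpoints, so a configuration from an` / `# untrusted source can direct the library to send credentials to an attacker's server.` (presumably those are the fields involved; the attribute names are not visible here). Also "before using with this method" reads better as "before using it with this method", and "urls" should be "URLs". A docstring warning is a reasonable short-term measure, but a follow-up that offers a validation helper the note can point to would be stronger than leaving validation entirely to the caller.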
@@ -72,6 +72,15 @@ class ImpersonatedServiceAccountCredentials # and request short-lived credentials for a service account # that has the authorization that your use case requires. # + # @note Warning: + # This method does not validate the credential configuration. A security + # risk occurs when a credential configuration configured with malicious urls + # is used. + # When the credential configuration is accepted from an + # untrusted source, you should validate it before using with this method. + # See https://cloud.google.com/docs/authentication/external/externally-sourced-credentials + # for more details. + # # @param options [Hash] A hash of options to configure the credentials. # @option options [Object] :base_credentials (required) The authenticated principal. # It will be used as following:
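Review bot: The note in this hunk is a verbatim copy of the ExternalAccount one, and its link points to the externally-sourced-credentials page, which covers external (workload identity) configurations rather than service-account impersonation; for the case this docstring covers, the risk is presumably that the impersonation endpoint named in the configuration is called with the base credentials' token, and the wording should say so. I would change the second and third lines to `# This method does not validate the impersonation URL in the credential configuration. The` / `# base credentials will be used to call whatever endpoint it names, so a configuration from` / `# an untrusted source can leak the principal's token to an attacker-controlled server.`, adapting the field name to the real option since it is outside the hunk. Keep the "validate it before using it with this method" advice, and fix "malicious urls" to "URLs". The method this doc block describes begins after the hunk, so I have not confirmed how the URL is consumed.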